From 9bc1f1791de3cb5e3073bd8c5811d0d02b7dde31 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 29 Apr 2024 23:40:53 +0200 Subject: [PATCH] Revert "loop: Remove sector_t truncation checks" This reverts commit f92a3b0d003b9f7eb1f452598966a08802183f47, which was commit 083a6a50783ef54256eec3499e6575237e0e3d53 upstream. In 4.19 there is still an option to use 32-bit sector_t on 32-bit architectures, so we need to keep checking for truncation. Since loop_set_status() was refactored by subsequent patches, this reintroduces its truncation check in loop_set_status_from_info() instead. I tested that the loop ioctl operations have the expected behaviour on x86_64, x86_32 with CONFIG_LBDAF=y, and (the special case) x86_32 with CONFIG_LBDAF=n. Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman --- drivers/block/loop.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/drivers/block/loop.c b/drivers/block/loop.c index 6050b039e4d2..860dac8b3f9a 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c @@ -243,12 +243,16 @@ static void loop_set_size(struct loop_device *lo, loff_t size) kobject_uevent(&disk_to_dev(bdev->bd_disk)->kobj, KOBJ_CHANGE); } -static void +static int figure_loop_size(struct loop_device *lo, loff_t offset, loff_t sizelimit) { loff_t size = get_size(offset, sizelimit, lo->lo_backing_file); + sector_t x = (sector_t)size; + if (unlikely((loff_t)x != size)) + return -EFBIG; loop_set_size(lo, size); + return 0; } static inline int @@ -996,7 +1000,10 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode, !file->f_op->write_iter) lo_flags |= LO_FLAGS_READ_ONLY; + error = -EFBIG; size = get_loop_size(lo, file); + if ((loff_t)(sector_t)size != size) + goto out_unlock; error = loop_prepare_queue(lo); if (error) @@ -1246,6 +1253,7 @@ loop_set_status_from_info(struct loop_device *lo, int err; struct loop_func_table *xfer; kuid_t uid = current_uid(); + loff_t new_size; if ((unsigned int) info->lo_encrypt_key_size > LO_KEY_SIZE) return -EINVAL; @@ -1273,6 +1281,11 @@ loop_set_status_from_info(struct loop_device *lo, if (info->lo_offset > LLONG_MAX || info->lo_sizelimit > LLONG_MAX) return -EOVERFLOW; + new_size = get_size(info->lo_offset, info->lo_sizelimit, + lo->lo_backing_file); + if ((loff_t)(sector_t)new_size != new_size) + return -EFBIG; + lo->lo_offset = info->lo_offset; lo->lo_sizelimit = info->lo_sizelimit; @@ -1531,9 +1544,7 @@ static int loop_set_capacity(struct loop_device *lo) if (unlikely(lo->lo_state != Lo_bound)) return -ENXIO; - figure_loop_size(lo, lo->lo_offset, lo->lo_sizelimit); - - return 0; + return figure_loop_size(lo, lo->lo_offset, lo->lo_sizelimit); } static int loop_set_dio(struct loop_device *lo, unsigned long arg)